Commander-in-Chief

About 200 million Internet-connected devices—some that may be controlling elevators, medical equipment, and other mission-critical systems—are vulnerable to attacks that give attackers complete control, researchers warned on Monday.

In all, researchers with security firm Armis identified 11 vulnerabilities in various versions of VxWorks, a slimmed-down operating system that runs on more than 2 billion devices worldwide (this section of Wikipedia's article on the OS lists some of its more notable uses). Billed collectively as Urgent 11, the vulnerabilities consist of six remote code flaws and five less-severe issues that allow things like information leaks and denial-of-service attacks. None of the vulnerabilities affects the most recent version of VxWorks—which was released last week—or any of the certified versions of the OS, including VxWorks 653 or VxWorks Cert Edition.

As such, an attacker needs network access to a vulnerable device, either on a LAN or over the internet if for some reason the gadget is public facing. VxWorks version 6.5 or higher, released circa 2006, with IPnet is vulnerable, except VxWorks 7 SR0620, which is the latest build: it contains patches that fix the aforementioned holes, and was released on July 19 following Armis' discovery of the blunders. Safety-certified flavors of the OS, such as VxWorks 653 and VxWorks Cert Edition, are said to be unaffected.

"As each vulnerability affects a different part of the network stack, it impacts a different set of VxWorks versions," Armis researchers Ben Seri, Gregory Vishnepolsky, and Dor Zusman said in a write-up. "As a group, URGENT/11 affect VxWorks’ versions 6.5 and above with at least one remote code execution vulnerability affecting each version."

Should a miscreant be able to connect to a vulnerable VxWorks device, they would potentially be able to send packets that could exploit any of the six critical flaws (CVE-2019-12256, CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263, CVE-2019-12257) to gain remote code execution, thus leading to a complete takeover of the hardware.

Obviously, the seriousness of the exploit would depend on the device itself and where it sits on the network. External-facing devices like firewalls and routers could be pwned to act as the springboard for a larger attack, or embedded devices like industrial appliances could be exploited to cause physical damage.

Additionally, a hacker could cause a denial of service via two of the bugs (CVE-2019-12258, CVE-2019-12259), leak information (CVE-2019-12265), or tamper with devices through logic flaws (CVE-2019-12264, CVE-2019-12262).
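The post gives enough to triage an asset inventory: which VxWorks builds fall inside the URGENT/11 range and which CVE groups apply. The helper below is an added example, not code from the forum post, Armis or Wind River; it encodes only the facts stated above (6.5 and later with IPnet affected, 7 SR0620 patched, VxWorks 653 and Cert Edition unaffected). The version-string formats it parses ("6.9", "7 SR0610", "7 SR0620"), the treatment of service releases after SR0620 as patched, and the device names in the sample inventory are assumptions.

```python
"""Asset-inventory triage for the URGENT/11 VxWorks advisory (added example).

Encodes only the version facts stated in the post. Version-string formats,
the assumption that builds after 7 SR0620 are also patched, and the sample
inventory are constructed for illustration.
"""
import re
from dataclasses import dataclass

# CVE identifiers grouped exactly as the post groups them (reference data for reports).
RCE_CVES = ("CVE-2019-12256", "CVE-2019-12255", "CVE-2019-12260",
            "CVE-2019-12261", "CVE-2019-12263", "CVE-2019-12257")
DOS_CVES = ("CVE-2019-12258", "CVE-2019-12259")
INFO_LEAK_CVES = ("CVE-2019-12265",)
LOGIC_CVES = ("CVE-2019-12264", "CVE-2019-12262")

CERTIFIED_MARKERS = ("653", "cert")  # substrings that mark a safety-certified edition
PATCHED_SR = 620                     # VxWorks 7 SR0620; later SRs assumed patched too

# Assumed format: "<major>[.<minor>][ SR<nnnn>]", e.g. "6.9" or "7 SR0620".
_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\s*SR0*(\d+))?\s*$", re.IGNORECASE)


@dataclass
class Verdict:
    affected: bool
    reason: str


def parse_version(text):
    """Return (major, minor, service_release) for a VxWorks version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised VxWorks version string: {text!r}")
    major = int(m.group(1))
    minor = int(m.group(2)) if m.group(2) else 0
    sr = int(m.group(3)) if m.group(3) else 0
    return major, minor, sr


def assess(version, edition="", uses_ipnet=True):
    """Decide whether a build is inside the URGENT/11 affected range."""
    if any(marker in edition.lower() for marker in CERTIFIED_MARKERS):
        return Verdict(False, "safety-certified edition (VxWorks 653 / Cert Edition)")
    if not uses_ipnet:
        return Verdict(False, "IPnet stack not in use")
    major, minor, sr = parse_version(version)
    if (major, minor) < (6, 5):
        return Verdict(False, "predates VxWorks 6.5")
    if major > 7:
        return Verdict(False, "newer than VxWorks 7; outside the advisory's stated range")
    if major == 7 and sr >= PATCHED_SR:
        return Verdict(False, f"VxWorks 7 SR{sr:04d} carries the fixes")
    return Verdict(True, f"VxWorks {version} with IPnet: RCE {', '.join(RCE_CVES)}")


def triage(inventory):
    """Map each (name, version, edition, uses_ipnet) record to a Verdict."""
    return {name: assess(version, edition, ipnet) for name, version, edition, ipnet in inventory}


# Constructed sample inventory; names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("plc-line-3", "6.9", "", True),
    ("edge-router", "7 SR0610", "", True),
    ("edge-router-patched", "7 SR0620", "", True),
    ("avionics-unit", "7 SR0610", "VxWorks 653", True),
    ("legacy-controller", "5.5", "", True),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        flag = "AFFECTED " if verdict.affected else "ok       "
        print(f"{flag}{name:<22}{verdict.reason}")
```

Run it against a real inventory export and the affected rows are the ones to schedule for the SR0620 update or to isolate from untrusted networks; the certified-edition and pre-6.5 rows drop out automatically.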

Commander-in-Chief

The introduction of Russia's Sovereign Internet rules is having an impact on the way criminal hackers around the world do business.

This is according to security house IntSights, which says that the law, set to become official in a few months, will force many hacking groups to change the way they operate both in Russia and in other countries.

The rule would lead to Russia developing its own standalone network that could be cut off from all connections outside of the country if need be and continue to function.

"It creates this infrastructure that kind of isolates Russia a little bit," Charity Wright, a threat intelligence analyst with IntSights, told The Register ahead of this week's Black Hat conference in Las Vegas.

"A lot of outsiders feel threatened because they feel they may not have access to the Russian internet, but really Russia's intention is to become sovereign over their own infrastructure so if there is an attack to cut them off, they can go on with business as usual."

While the Russian government is notorious for turning a blind eye to criminal hackers (and in some cases even enlisting them for official activities), the new law will still have a major impact on how cybercrime is conducted both within and outside the country.

In particular, hackers operating within Russia will have to make sure that the services they use to conduct attacks, such as VPNs, are either Russian or operate in compliance with the strict sovereign internet requirements that have led many VPN providers to already pull out of the country.

"Although Russia is not known for cracking down on crime, this is really going to create a new culture for darkweb usage," Wright said.

"They will really have to consider the VPNs they are using and make sure they comply or stop using them."

Those sentiments were echoed by fellow IntSights security pro Andrey Yakovlev, who said that while Russia is tightening its grip on the internet and becoming more insular, it also gives its domestic hackers more motivation to launch attacks outside their borders.

"The sovereign internet will make it much easier for Russian law enforcement to crack down on hackers that target Russian entities," Yakovlev explained in the IntSights Dark Side of Russia report.

"But the government will still likely turn a blind eye to threat actors that target foreign entities – particularly those operating in enemy states, like the United States."

In other words, as hacking within Russia becomes more difficult and dangerous, expect to see Russian hacking groups focus even more of their attention on western countries, where the attacks will not draw a police response.

This is particularly bad news given the technological advantage many Russian hacking crews enjoy. The IntSights team noted that many of the major attacks and exploits to arise in recent months, such as the Windows RDP BlueKeep flaw, were weaponised in Russia long before hackers in other countries were able to get working attack code launched in the wild.

"The Russian underground covers virtually any known type or method of malicious activity," noted Yakovlev.

"If news outlets are talking about it, it is likely Russian cybercriminals have already had it for some time."

Combine that with the stronger motivation to hack outside of Russian borders, and it is shaping up to be a long year for foreign companies in the crosshairs of Russian hacking crews. ®

Commander-in-Chief

On Friday, Mac security researcher Patrick Wardle showed how an attacker can repurpose someone else’s Mac malware, create false attribution flags and sidestep Mac anti-malware defenses with ease. The attack scenarios were his own and meant to serve as cautionary examples and reasons why Mac security professionals need to stay on their toes.

The heart of Wardle’s thesis surfaced at the end of his talk here at DEF CON when he highlighted several Mac signature-based malware defenses woefully inadequate when it came to fending off the attacks he created. Far more effective at detecting and warding off threats is a behavioral and heuristics approach to identifying Mac threats, said Wardle, security researcher with Jamf.

The session here proved the point. Wardle laid out a soup-to-nuts attack strategy that likely could be in use by adversaries today. He began his proof-of-concept attack by demonstrating how to repurpose known malware samples and customize them for use in fresh attacks.

Commander-in-Chief

It is possible to discern someone's SSH password as they type it into a terminal over the network by exploiting an interesting side-channel vulnerability in Intel's networking technology, say infosec gurus.

In short, a well-positioned eavesdropper can connect to a server powered by one of Intel's vulnerable chipsets, and potentially observe the timing of packets of data – such as keypresses in an interactive terminal session – sent separately by a victim that is connected to the same server.